Creating a Windows 2022 Server VM on Proxmox 7

Creating a VM is an easy enough task that can be left to defaults a lot of the time. But if you want the best performance/options under Proxmox, you will have to go through a few minor hoops as Windows Server 2022 (or prior) does not have the drivers needed for everything built in.

• Click on Create VM to get the dialog box. First click on Advanced if it is not already checked.
  

• Give the VM a name (2), ID (1), Start on boot (3), and order/delay (4) as desired. Then hit Next.

  • Everything below the line is hidden if you have not checked Advanced.
    

• Choose your ISO and Guest OS Type, then hit next.
  

• Since you specified a modern version of Windows, Proxmox automatically uses UEFI and you will need to specify EFI and TPM storage locations.

  • I always keep them on the same disk that will house the boot storage.
    

• By default, it will use VirtIO for storage, you want this, but will have to add a driver during the Windows install itself. Also enable the Qemu Agent, again the guest agent will have to be installed after Windows setup completes.
  

• Change the default IDE disk to SCSI (1), set the storage location (2), and your desired disk size (3).
  

• Assign the number of cores you need.
  

• Set your max memory (1), minimum memory (2), and ensure Balooning device (3) remains checked.
  

• Change the network adapter model to VirtIO (1). You will not have a working network on boot up. The VirtIO drivers will need installed first.
  

• Review and hit finish. Do not check Start after created.
  

• Select the VM and click on Hardware (1) and then Add (2)
  

• Choose CD/DVD
  

• Add the virtio-win ISO, you will need this mounted to add the storage driver during install.

  • Current stable ISO can be found here
    

• You can verify your boot order if you want, but it should still be correct.
  

• Open the Console
  

• Click Start Now
  

• Click in the window and press a key, because Microsoft still thinks all of us are fucking stupid.
  

• Set your options and hit Next.
  

• Hit install now.
  

• Choose your OS options and hit next.
  

• Accept the license and hit next.
  

• Choose Custom since Microsoft thinks a new install is an advanced task.
  

• Finally, you can load the VirtIO driver (1)
  

• Click Browse.
  

• Expand the virtio CD Drive
  

• Expand amd64 folder (1), click on 2k22 (2), and click OK (3)
  

• Click on Next and it will rescan for the disk, no need to click on rescan yourself.
  

• Now the disk is available, click next
  

• Windows will finish the install like normal and reboot.
  

• wait for it..... It will reboot again
  

• Create a password for the account you will delete anyway and click Finish. Because you don't leave Administrator do you?
  

• This example uses the Desktop Experience, so login and wait for the desktop. Close Server Manager and the WAC pop up.
  

• Open Device Manager
  

• You will see three things to fix.
  

• Right click and choose update driver for the Ethernet Controller.
  

• Choose Browse
  

• Browse again
  

• Expand the virtio ISO disk (1), expand netkvm (2), and select 2k22 (2), then click OK.
  

*Hit next and it will install the driver.

• Before you hit close, you will want to hit yes on the Network discoverability screen for most use cases.
  

• Repeat the process for the remaining two items.

  • PCI Device is the Baloon folder
    
    
  • PCI Simple Communications Controller is the vioserial folder
    
    

• Now you have all the drivers for the system devices.
  

• Finally, browse to the CD drive in Windows Explorer and install the guest agent
  

• You will know the guest agent is properly installed is you see the IP addresses on the Proxmox Summary screen.
  

• Shut down the VM
  

• Remove the extra CD drive
  

• Unmount the Windows ISO.
  
  

• Start the VM back up and setup the server for the task you installed it for

Always do this upgrade via the command line over SSH. This prevents HTTP/PHP timeouts from affecting you. You can use the console if you want, but SSH is normal.

1. Login with your non-root user. Because you never allow root to log in over ssh right?
2. Update the system

sudo yum upgrade -y

3. Upgrade the current modules.

sudo fwconsole ma upgradeall

4. Fix permissions, as module upgrades can leave some files owned by root.

sudo fwconsole chown

5. Reload the system to rewrite the config files.

sudo fwconsole reload

6. Reboot, to make sure everything in in a pristine state, or at least should be.

sudo reboot

7. Log back in and then switch to root. If you run the versionupgrade with sudo instead of as root, it fails to properly do everything, even though it says the upgrade succeeds.

sudo su -

8. Download the versionupgrade module

fwconsole ma downloadinstall versionupgrade

9. Fix permissions again as it messes up file permissions in /var/www/html after you install it.

fwconsole chown

10. Reload

fwconsole reload

11. Run the version upgrade check

fwconsole versionupgrade --check

• If you have an error about a deprecated module remove them and them reload.
  

fwconsole ma delete campon
fwconsle reload

• Then run the version check again.

12. It should be clean, so upgrade.

fwconsole versionupgrade --upgrade

13. Log back into the web interface

• Make sure everything looks normal
• Make a couple test calls, in, out, internal, etc.

14. Once everything looks good, hop back to your SSH session and reboot. Sure everything is runing now, but how do you know it will reboot correctly if you don't try it now?

reboot

15. Assuming everything come sup normally, you are done.

• The most common thing I find here is that I sometimes need to run fwconsole restart before the GUI shows a connection to Asterisk, even though everything is running.

To enable your system to make international calls, you will need a third trunk. This time duplicate the outbound trunk.

1. Click the edit icon to the right of the Skyetel_Outbound_NA trunk.
   

2. Click the Duplicate at the bottom of the screen.
   

3. Now you can click on the edit icon of the duplicated trunk, currently named Skyetel_Outbound_NA_copy_3.
   

4. On the General tab, change the Trunk Name to Skyetel_Outbound_International.
   

5. Switch to the PJSIP Settings -> General sub tab and change the SIP Server to hc.skyetel.com
   

6. Click on the Submit button.
   

7. Click on the Apply Config button.
   

8. You will see your trunk listed in the list and show as Enabled.
   

After setting up the inbound trunk, you might want to just be done with all of this, but all of the hard work is done. For the outbound trunk we can duplicate and edit, saving much time.

1. Click the edit icon to the right of the trunk.
   

2. Click the Duplicate at the bottom of the screen.
   

3. Now you can click on the edit icon of the duplicated trunk, currently named Skyetel_Inbound_copy_2.
   

4. On the General tab, change the Trunk Name to Skyetel_Outbound_NA.

   • NA stands for North America. You will duplicate this trunk after it is done and that trunk up for International and High cost NA calls.
     

5. Change Continue if Busy to Yes.
   

6. Switch to the PJSIP Settings -> General sub tab and change the SIP Server to out.skyetel.com
   

7. Switch to the Advanced sub tab and remove the list of IP addresses and CIDR blocks from Match (Permit).
   

8. Click on the Submit button.
   

9. Click on the Apply Config button.
   

10. You will see your trunk listed in the list and show as Enabled.
    

Now that you have Skyetel setup to deliver calls to your PBX, it is time to setup FreePBX to accept those calls. This is done by creating a Trunk.

1. Sign in to your FreePBX instance

2. Click on Connectivity and then Trunks
   

3. Click on the Add Trunk button to show a list of options and then click on Add SIP (chan_pjsip) Trunk

   • Be certain it says chan_pjsip or you will not have a working system.
   • Depending on your FreePBX configuration, you may still see the legacy chan_sip option. This will not work.
     

4. You will get the Add Trunk screen with 3 tabs, we will start on the General tab.
   

5. Trunk Name is a descriptive name for the trunk.

   • Name this one Skyetel_Inbound
   • It cannot have spaces, and FreePBX will auto populate an underscore (_) if you press space.
     

6. Hide CallerID should be set to No by default. Leave it that way.
   

7. Outbound CallerID should always be populated on all trunks as whatever your main number is with Skyetel.

   • This value is the default to use if a call goes out this trunk without any other Caller ID defined.
   • We will use the E.164 format for the number
   • + then Country Code then Number
   • The name section should be limited to 15 characters, the maximum for legacy POTS Caller ID.
   • Also, do not expect the name portion to be seen by most recipients. Skyetel will pass along whatever name is entered here, but it is up the the other side to accept it.
     

8. CID Options should be left on the default of Allow Any CID. You can read the help text to learn more about how this works.
   

9. Maximum Channels should be set to at least one higher than you set in the Fraud Alert for the Endpoint in Skyetel.

   • Only outbound calls are counted towards this maximum.
     

10. Asterisk Trunk Dial Options should never be changed from System
    

11. Continue if Busy can be left at No for the Skyetel_Inbound trunk as this only applies if the trunk is used in an Outbound Route
    

12. Disable Trunk must be set to No or the system will not use the trunk.
    

13. Monitor Trunk Failures is an advanced setting and does not mean what most people think. Leave it set to No.
    

14. Moving on to the Dialed Number Manipulation Rules tab, is easy as you will leave this all blank.

    • You do not do anything on this tab for a trunk, unless there are special circumstances.
    • More detail on this will be discussed in the Outbound Route setup.
      

15 On to the pjsip Settings tab, which has three sub tabs.

16. The General sub tab is where you tell the trunk what it is connecting to. You will leave Username, Auth username, and Secret empty.
    

17. Authentication will be changed to None, which cause the priors three fields to become disabled.
    

18. Registration is also set to None. This also gets changed automatically when Authentication was changed.
    

19. Language Code should be left on Default.

    • Trunk specific languages is an advanced task.
      

20. Sip Server will be set to in.skyetel.com

    • Prior to October 8, 2021 this was na.skyetel.com
      

21. SIP Server Port is 5060.

    • This is Skyetel's listening SIP port, not yours.
      

22. Context should be changed to from-pstn-e164-us, which matches the fact that our phone number in Skyetel will be sent in the E.164 standard.
    

23. Transport defaults to 0.0.0.0-udp and should be left that way.
    

24. Moving to the Advanced sub tab, most settings will be left at their default values.
    

25. Match (Permit) is the first that needs changed.

    • On this Skyetel_Inbound route, we need to enter the full list of IP addresses or CIDR blocks that Skyetel could ever send a call from. Skyetel maintains that list on the Skyetel IP Addresses article.
    • You need to add the 4 Standard IP addresses that in.skyetel.com resolves to, as well as the list of Emergency IPs
      
    • This must be added as a single comma separated line, here is a copy/paste version for you.

52.41.52.34/32,52.60.138.31/32,50.17.48.216/32,52.8.201.128/32,44.199.94.192/27,3.144.141.64/27,3.101.177.224/27,35.85.225.96/27,3.99.65.224/27,35.215.45.65,35.209.126.210,35.212.222.157

26. Trust RPID/PAI should be changed to Yes
    

27. Send RDPI/PAI should be changed to Both
    

28. Inband Progress, Direct Media, Rewrite Contact, and RTP Symmetric should be the correct value by default, but verify that they are No, No, No, and Yes respectively.
    

29. Final tab! Go to the Codecs tab and ensure that ulaw is in the list. By default it should be first.

    • Updating codecs is an advanced task not covered here.
      

30. Click on the Submit button.
    

31. Click on the Apply Config button.
    

32. You will see your trunk listed in the list and show as Enabled. Inbound calls will now hit your PBX.
    

Now that you have an Endpoint Group and Endpoint setup, you can setup your phone number(s) to point to so calls will be delivered to your PBX.

Setup a number to route to your PBX

1. Expand Phone Numbers
2. Click on either Local Numbers or Toll Free Numbers depending on what type of number you bought or ported in.
   • You will see a list of the phone numbers of that type that you own through Skyetel.
3. Click on the gear to the far right to edit the number
   

Number Editing

• There are up to 5 tabs of information you need to edit for each number, depending on what feature you need or want for a number. This guide will only be covering the General tab.
  

The General tab is where you choose how a number routes and what you want it to do in a failure to route to that selection.

1. Phone Number is obvious, and not editable. This is the phone number you are editing.
   

2. SIP Format is the way that Skyetel will deliver calls to this number, to your PBX.

   • By default Skyetel uses an 11 digit number format familiar to people in North America. This is called the NANPA or NANP format. I always recommend to change this to the E.164 format as it is an international standard, either format can work for FreePBX.
   • This guide and others related to FreePBX will assume the E.164 format.
     

3. Call Routing is where you choose your normal destination for calls. In most cases, you will be using Endpoint Group.

   • There are use cases for the other options, but those are not covered in this guide.
     

4. Once you select Endpoint Group in Call Routing you get two new options inserted before Call Failure Routing.
   

5. Endpoint Group is here you select the Endpoint Group you previously created.

   • I have other Groups (obfuscated), you should only have the one at this point, Select it.
     

6. Endpoint Choice will not be used by most users as they only have one Endpoint in their Endpoint Group.

   • But if you have more than one, you can chose how this number chooses one. The default is By priority, and the priority is set in the Endpoint Group.
     

7. Call Failure Routing is what you want to happen to the call is Skyetel cannot reach your PBX. Leave it at the default until you go read the guide on this feature.
   

8. Tenant is an advanced need. If you have these set up, then you would select it here.
   

9. Description is useful when you have a lot of phone numbers. It lets you know at a glance what the purpose of that number is. If you only have one or two numbers, it is less important.
   

10. Click Save and the number will begin routing to your PBX. Typically within seconds, but it can take up to a minute to fully propagate.

Bundy & Associates uses Skyetel as their go to SIP trunk provider because of the high quality of service and the low cost.

Setting up a FreePBX or PBXact system to use Skyetel is a very easy process, but does have a few steps that can confuse the inexperienced.

1. Create an Endpoint Group in Skyetel to point to your PBX.
2. Set the phone number(s) in your Skyetel portal to route to your PBX.
3. Create the Skyetel Inbound Trunk
4. Create the Skyetel Outbound Trunk for North America
5. Create the Skyetel Outbound Trunk for International

Create the Endpoint Group

1. Log in and expand Endpoints.
2. Click on Endpoint Groups.
3. Click on Add Endpoint Group.
   

Enter your PBX information, this creates an Endpoint Group and the first Endpoint inside the group.

1. Name is the name you will see for the endpoint group.
2. IP Address is the public IP address of your PBX.
3. Description is the description of the actual endpoint.
4. Click Add to finish.
   

Now you want to click on Endpoint Health to see your new group and set some alerts for it.

• Note, it will show your system down. This is because you have not yet set anything up in FreePBX to listen for it. One step at a time.
  

Click on Set under Fraud Alerts

1. Enter a value that is equal to the maximum number of simultaneous call you expect to have.
   • For example, if you used to have six lines from AT&T or Spectrum, then put 6 here to start.
2. Read what is highlighted!! It is not going to be Skyetel's fault if you have a bad actor on your system. It is your responsibility to keep an eye on your system.
3. Click Save
   

Now click on the toggle to enable uptime alerts.

• This is useful as Skyetel will then send you an email and text message (if you have a number in your profile) when two or more regions cannot reach your Endpoint.
  • It will use the Description from the Endpoint as set above. So make sure you populate that to something you understand.
    

Finally click on View more to see some advanced features.

• For now, the only thing to do is click in the circle in front of Network QOS. This will have Skyetel's system being to collect metrics from the "Hello, are you alive?" packets it sends to your Endpoint.
• There is a second section on this page for SNMP Metrics, but that is an advanced topic that will have its own guide.
  

Once it has been enabled and your PBX has been on line for a while, you will begin to see very useful data on this page. Here is a sample from a different Endpoint.

If your IT department is doing things right, then the user account that you log in to a computer with will not have administrative access.

In the Linux ecosystem this is called sudo access.

Normally an accout is made with sudo rights that is only used as needed.

If the password for this account is lost, then there is no longer a way to administer the computer.

In the Windows world, you shutdown the system and then boot to a specially crafted USB boot disk that you can read the Windows information and then reset the admin password.

For Linux, it is easier. You simply need to reboot and interrupt the normal grub boot sequence to get into single user mode.

1. Reboot the system.
   • As soon as it powers back on begin tapping the ESC key.
     Technically, we are only wanting to stop grub from automatically booting. but with modern SSD or NVMe drives, this can go by so fast you never knew it was available to interrupt.
2. The first grub entry should be highlighted by default and is normally the one you want. Press e to edit that entry.
3. Find the line beginning with linux
4. Go to the end of the line and add init=/bin/bash
5. Press F10 to boot to this modified file without permanently saving it.
6. The system will boot to a command prompt similar to root@(none):/#
7. Enter mount -o remount,rw / and press Enter.
8. Now you can reset the admin account password with the passwd command: passwd YOURADMINNAME.
9. Enter the new password, then again to confirm it.
10. Type exit and then use the power button to reboot the computer.

There are many reasons that you may need an SSH key setup on your system. Some of the most common reasons are connecting to git repository and connecting to a Linux server.

This used to be a painful process, as Microsoft did not include OpenSSH in the operating system. Thankfully they rectified that over a year ago.

As long as you are running an up to date version of Windows 10, you will have no problems following along.

1. Right click on the start button and choose Windows PowerShell

   • If your system says Command Prompt you are either not up to date, or you intentionally changed it back.
     

2. In the powershell windows, run the ssh-keygen command as follows:

   • The -t ed25519 tell it which algorithm to use.
   • The -C "Work Computer" is a comment that makes it easy to know what a key was created on. Update appropriately.

ssh-keygen -t ed25519 -C "Work Computer"

3. It will prompt where to save the file. You will almost always want to use the default. Just press enter to accept the default.
   
4. It will ask for a passphrase. Generally, I do not set a passphrase on my SSH keys, but there are valid reasons to do so depending on your environment. Press enter again for no passphrase.
   
5. It will ask you to confirm the passphrase, even if you left it blank. Press enter again.
   
6. It will then create your key and spit out some information about the key. Congratulations, you now have an SSH keypair available for use.
   

This is why I recommend the -C command in the key generation. It puts whatever was in the comment out at the end of the public key string.

This useful when you add the key to things like GitLab. It will automatically title the key with that comment.

Once you have done your initial discovery and know how your current PBX operates, you can then figure out the best place to put your new FreePBX system.

This will be different for every organization and has to be based on what works best for the business.

You have two choices.

1. Host it on your internal virtualization infrastructure
2. Host it on a public virtualization platform

Can it be installed on a physical appliance? Sure, but you would not want to run your main line of business application on random hardware, so why would you run your phone system that way?

You have to base this decision on a number of things.
Below is a general guideline to think about.

• Do you have a solid virtualization platform in place locally
  • if no, make the PBX hosted
  • if yes, make the PBX hosted or local
• Do you have more than one site needing to register phone to this PBX
  • make the PBX hosted
• Do you have solid backups locally
  • if no, make the PBX hosted
  • if yes, make the PBX hosted or local
• Do you have solid internet for the total concurrent call volume and well as extension to extension volume
  • if yes, make the PBX hosted
  • if no, make the PBX local
• What Needs to survive the most when the internet goes down
  • extension to extension calling
    • make the PBX local
  • inbound customer calls getting handled
    • make the PBX hosted

There are always more things to consider, but those are the key factors.

Each of them need thought about without emotion to determine what is best for the business.

Before you install

• Initial Discovery
• Decide where you want your PBX
• Decide where to get your phone service from
  • Estimating costs

---

Installation
Once you know have worked through the items above, you are ready to begin installing FreePBX.

For this guide, we will use Vultr to host the system.
There are only a few differences in steps 2 and 3 if you do not use Vultr.
The rest of the guide is the same, irregardless of where you host the system.

1. Creating a FreePBX Instance on Vultr
2. ISO Installation
3. Standard Setup Part 1: Command Line
4. Standard Setup Part 2: Initial GUI Wizard
5. Configure the Firewall
6. System Admin setup
7. Create your first exentsions
8. Trunk setup
9. Conference setup
10. Ring group setup
11. Creating system recordings
12. IVR setup
13. Using time groups and time conditions
14. Caller ID setup
15. Inbound call routing
16. Outbound call routing

Setting up Desk Phones

• With Endpoint Manager
• Manually - git backed

Sangoma continually updates FreePBX.

Because of that, this guide will generalize some terms where possible.

Screens may differ after an update.

---

1. Upon first log in to the web interface, you will be presented with this screen to create the initial admin user account.
   

2. Create a username and secure password.
   

3. Enter an email address for the user. This can be changed later if needed.
   

4. Give the system a name. This will used in various system emails that are generated, as well as in voicemail notification emails.
   

5. Change the update settings as desired.
   We recommend not using automatic updates, but instead actively updating things monthly. Enable email notification, in order to be made aware of anything important.
   Finally, set it to check daily in the morning. You don't need yet another system email coming in over night when sleeping.
   

6. Click Setup system
   

7. The system will apply the settings and you will be presented with the standard FreePBX home screen. Click on FreePBX Administration.
   

8. Enter your just created administrator log in and click continue.
   

9. You will be asked to activate your system. There is no cost to it and you will want your system activated, but this screen has been intermittently buggy. Click Skip, you will activate it later.
   

10. Now you will get a couple screens of advertisement for Sangoma owned products. Click skip on each of them. If you want the product you can order it later.
    
    

11. Set your default locale information as appropriate for your needs.
    

12. The red Apply Config button will appear at the top, ignore it for now.
    

13. The system will now ask you to setup the built in firewall. We alays recommend this be enabled. Even if your system if behind a hardware firewall and NAT. Click continue.
    

14. Click Next.
    

15. Click Yes here, or you can lock yourself out during the initial setup. This will be modified later.
    

16. Click No here, even if you are on a local LAN that you want trusted. For now, you only care that the computer you are doing the setup from is allowed access.
    

17. Click No to the responsive firewall. This is a very useful tool depending on your needs. It is something to configure later, not during initial setup.
    

18. Click Yes here, to let the system correctly setup your Asterisk settings. They can be changed later, but this is the easiest way to get it right for most people.
    

19. If your browser pops up a warning about resending, click resend.
    

20. At this point the FreePBX dashboard will load.
    

21. Now click the Apply Config button.
    

22. You will see a reloading screen.
    

23. You have completed the Initial GUI wizard. Welcome to FreePBX.

When we setup FreePBX, clients will often elect not to purchase the Endpoint Manager (EPM) commercial module.

They do this because once the physical phones are setup, they almost never make changes often that require learning how to use and maintain the endpoints via EPM.

EPM is a solid product for a very reasonable cost. But like all things, the cost must be weighed against the benefit.

For customers that do not use EPM, we setup a private git repository to easily maintain things. To automate that, the PBX needs to use key based SSH.

Everything FreePBX does is owned by the user asterisk so you need to create a keypair under that user.

1. Log in to your PBX console via ssh as yourself.
   ssh pbx.domain.com or ssh [email protected]

2. Switch to the asterisk user.
   sudo su asterisk

3. Create the ssh keypair using modern strong methods.
   ssh-keygen -o -t ed25519 -C "FreePBX Asterisk User"

4. It will ask what directory, to store the key, press enter.
   The default is what you want: /home/asterisk/.ssh

5. It will ask for a passphrase, do not enter anything. This is for automation, there will be no user to enter the passphrase every time the key is used.

6. It will ask to confirm the passphrase, press enter again.

7. It will then display the key fingerprint and ascii art.
   

Sangoma continually updates FreePBX.

Because of that, this guide will generalize some terms where possible.

Screens may differ after an update.

---

If your method for accessing the console does not allow you to copy and paste into the console, then we strongly recommend that you use SSH, as the root user, for this initial setup.

This process requires that you have created a SSH keypair for secure login to Linux systems.

If you need instruction for that see: Creating an ed25519 key in Windows 10

---

1. However you installed FreePBX from the ISO, when that installation completes, the console screen should be waiting for a log in.

   1. The only login available immediately after installation will be the root user.
   2. You can log in to the console or via SSH. Be aware of the notice above about copy and paste.
      1. On the Console, enter root for the login and hit enter.
      2. Enter the root password you set during installation, the password will not be echoed back, then press enter.
         
      3. Or log in initially via SSH.
         
   3. Either way you will be greeted by the standard FreePBX message of the day (MOTD).
      

2. The first thing to do is to secure SSH. This is accomplished by:

   1. Creating a non-root user with administrator rights (sudo).
   2. Disabling the ability of the root user to log with the SSH protocol.
   3. Disabling the ability to log in with a password.
   4. We have created a script to handle this initial root setup process. If you want to do it manually, please read the script to see how we did it.

3. Execute this command to download the script from our public GitLab with this command:
   wget https://gitlab.com/bundyassociates/freepbx-scripts/setup-scripts/-/raw/master/root_setup.sh
   

4. Set the downloaded script to be executable: chmod +x root_setup.sh
   

5. Execute the script: ./root_setup.sh

   1. It will prompt for your SSH username
      
   2. Then tell you to log out.
      

6. Logout of the root session by entering: exit

7. Log in as the user you just created. You will be forced to update your password.

   1. Your current password is: ChangeMe
   2. Your new password can be whatever you want, try to be a bit secure about it.
   3. You will enter ChangeMe once to log in. Then again as the "current password" to be changed.
   4. It will automatically log you out after changing your password.
      

8. Before logging back in, you need to copy your SSH public key to the system.
   The command to do that is: ssh-copy-id [email protected]
   
   I have multiple keys on my system, so I need to specify the key I want to use with the -i option.

9. Log in via SSH again, it will not ask for a password.
   

10. Execute, with sudo, the setup script that was pre-downloaded during the root setup.
    sudo ./setup.sh

11. You will be prompted for your password in order to execute the commands in the script with sudo access.
    

12. Get a coffee, this will take a while to finish.
    

    1. Especially if the updates include a new Linux kernel.
       

13. When completed, it will tell you to reboot and go to the web interface to complete the setup.
    

14. Reboot the system as instructed
    sudo reboot
    

15. Wait for the reboot to complete and then go to the web interface as previously instructed to complete the setup.

    1. You know the reboot is complete when the console screen returns to this.
       
    2. Be prepared for warnings about insecure connections the the web interface. Part of the GUI process will be to create a valid SSL certificate.
       

Sangoma creates FreePBX installation ISO files several times per year.

Because of that, this guide will generalize some terms where possible.

Screens may differ after an update.

---

1. Once you boot to the ISO file, you will be presented with a screen to select what version of Asterisk you want to install.
   

2. For most companies, there is no reason to stay back on an LTS version, I always recommend using the current release. That is Asterisk 17 as of the writing of this guide. So select that version with the arrow keys on the keyboard and hit enter.
   

3. On the next screen, leave it on Output to VGA and hit enter.
   

4. Hit enter again on the next screen, confirming what you previously chose.
   

5. You will now see various Linux boot screens go past.
   
   
   
   

6. When you see this screen, click on ROOT PASSWORD to set the Linux root user password.
   

7. Enter the password twice, and then click done on the top left.
   

8. It will show that the root password has been set.
   

9. Now wait for the reboot button to appear on the bottom right. Depending on the resources of the system you are installing on, this can take up to 10 minutes. Once it appears, click reboot.
   

10. Your system should boot to the Linux login prompt.
    If your system does not automatically eject the installation media, Vultr instances do not, you will get the initial setup screen again. Manually remove the installation media and reboot again.
    

11. The FreePBX ISO Installation is complete. You can now continue with the FreePBX Standard Setup Part 1: Command Line guide.

1. Log in to your Vultr account. You will be presented with your existing instances, if you have any.
   https://my.vultr.com
   

2. On the upper right of the page will be a blue button. Click on it to deploy a new instance.

   1. If you mouse over it, you will see that there are more options, but the default action on this screen is to deploy a new instance.
      

3. Under the Choose Server heading, ensure that Cloud Compute is selected.
   

4. Under the Server Location heading, choose a location regionally close to where most of the phones will be, Chicago in this example.
   

5. Under the Server Type heading, choose ISO Library.
   

6. Then look for FreePBX, there may be more than one. Choose the newest.

   1. The date code is YYMM-R (year, month, release in month. August 2020, release 1 in this example.
      

7. Under the Server Size heading, choose the appropriate sized instance for the PBX.

   1. The specific size depends on the needs of the location, if unsure, always start with the $5 instance.
      1. An office with ~20 concurrent calls and ~200 extensions will run just fine on a $5 instance.
   2. Instances can always be scaled up. They cannot be scaled down.
      

8. Under the Additional Features heading, check the option for automatic backups.

   1. The price is based on the instance size, for example the $10 instance is $1.25
      

9. Under the Firewall Group heading, leave it at no firewall.
   

10. Under the Server Hostname & Label header, give the system a label. The hostname is irrelevant for FreePBX installs.

    1. The label is what you see in the Vultr list of instances
       

11. You will see a cost summary on the bottom left.
    

12. Click on the Deploy Now button on the bottom right.
    

13. The screen will go back to the list of instances. Your new instance will say Installing.
    

14. When the instance changes to running, click on the three dots to the right of the instance and then on View Console. This will open the virtual console where you will complete the FreePBX ISO Installation process.
    

15. The virtual console will open and you will see Sangoma's customized installation menu for FreePBX.
    

16. At this point, switch to the FreePBX ISO Installation guide.

    1. You will come back to this guide for a few more steps after the ISO installation guide competes the first reboot.

17. Once the FreePBX ISO Installation has completed the first reboot, you will need to remove the ISO.

18. Click on the instance name or server details from the menu.
    

19. 1. Click on Settings.
       

20. Click on Custom ISO.
    

21. Click on the Remove ISO button.
    

22. You will be prompted to confirm the ISO removal. Click Remove ISO again.

23. When you remove the ISO, the Console will look like this, close the window as you will have to reopen the console.
    

24. Click on the Console button on the top of the instance detail screen.

    1. If you changed back to the instance list, you can access the console as mentioned in step 14.
       

25. You will see the instance has booted normally.
    

26. You will now switch to the FreePBX Standard Setup Part 1: Command Line guide.

Setup NodeBB with PostgrSQL on Fedora 33 with Nginx and HTTPS only

• Why PostgreSQL? Because Mongo licensing complexities.
• As with many of my more recent guides, I'll be using environment variables.
  • Do not log out of your Console/SSH session until this is complete.

Create a random password for PostgreSQL's admin user account

export DB_ROOT_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"

Database name to use for application

export DB_NAME='nodebb'

Database user to use for application

export DB_USER='nbbuser'

Generate a random password for the database user

export DB_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"

The location to install the application

export APP_PATH='/opt/nodebb'

The FQDN of the application

export FQDN='community.domain.com'

Path to the SSL certificates and key

export SSL_KEY_PATH='/etc/pki/tls/private/cforigin.domain.com.key'
export SSL_CERT_PATH='/etc/pki/tls/certs/cforigin.domain.com.pem'
export SSL_CA_CERT_PATH='/etc/pki/tls/certs/cfchain.domain.com.pem'

Dump the environment variables to a file in the current directory for later reference.

cat >> setup.info << EOF
PostgreSQL Database Name    : $DB_NAME
Database User               : $DB_USER
Database User Password      : $DB_PASS
Database Root Password      : $DB_ROOT_PASS
Application Path            : $APP_PATH
FQDN                        : $FQDN
SSL Certificate Path        : $SSL_CERT_PATH
SSL Key Path                : $SSL_KEY_PATH
SSL CA Certificate Path     : $SSL_CA_CERT_PATH
EOF

Update the Operating System

sudo dnf upgrade -y --refresh

These are tools I use on pretty much every Fedora instance

• Configuration of them, if required, is not covered here.

sudo dnf install -y nano sysstat glances htop dnf-automatic

Install the packages required for PostgreSQL backed NodeBB

sudo dnf install -y git nginx nodejs postgresql-server policycoreutils-python-utils

Initialize the PostgreSQL database

sudo /usr/bin/postgresql-setup initdb

Enable and start the database

sudo systemctl enable --now postgresql

Enable and start Nginx to be the proxy

sudo systemctl enable --now nginx

Update the firewall to allow the needed connections

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Tell SELinux to allow the webserver to connect to the local network

sudo setsebool -P httpd_can_network_connect on

Create user and database to be used by NodeBB

• this spews an error about changing directories, but still creates.
  • Need to fix that. This is my first time scripting PostgreSQL

sudo -u postgres psql -c "create user $DB_USER with encrypted password '$DB_PASS'"
sudo -u postgres psql -c "create database $DB_NAME"
sudo -u postgres psql -c "grant all privileges on database $DB_NAME to $DB_USER"

Set a password for the admin user (postgres)

sudo -u postgres psql -c "alter user postgres with password '$DB_ROOT_PASS'"

Update PostgreSQL to use database user login information.

sudo sed -i 's/ident$/md5/g' /var/lib/pgsql/data/pg_hba.conf

Restart PostgreSQL

sudo systemctl restart postgresql

Create application directory.

sudo mkdir -p $APP_PATH

Download NodeBB

• As of the creation of this guide, the current branch is v1.15.x
• Update accordingly.

sudo git clone -b v1.15.x https://github.com/NodeBB/NodeBB.git $APP_PATH

Create the user account to run the application

sudo adduser nodebb --system --create-home

Set ownership to the user that will be running the application

sudo chown -R nodebb:nodebb $APP_PATH

Setup a strong Diffie-Hellman parameter

sudo mkdir -p /etc/nginx/dhparam
sudo openssl dhparam -outform PEM -out /etc/nginx/dhparam/dhparam.pem -2 2048

Create the SSL certificate

• You will need to prep these steps in a vscode window or something
• You do not want to mess this up, or else Nginx will not start.

sudo tee $SSL_CERT_PATH > /dev/null << EOF
-----BEGIN CERTIFICATE-----
Put everything from your CERTIFICATE file here...
-----END CERTIFICATE-----
EOF

Create the SSL private key

sudo tee $SSL_KEY_PATH > /dev/null << EOF
-----BEGIN PRIVATE KEY-----
Put everything from your KEY file here...
-----END PRIVATE KEY-----
EOF

Create the SSL CA certificate chain

sudo tee $SSL_CA_CERT_PATH > /dev/null << EOF
-----BEGIN CERTIFICATE-----
Put everything from your CA CERT CHAIN file here...
-----END CERTIFICATE-----
EOF

Set the permissions of the SSL files.

sudo chmod 644 $SSL_CA_CERT_PATH
sudo chmod 644 $SSL_CERT_PATH
sudo chmod 600 $SSL_KEY_PATH

Setup up the Nginx configuration file for the application.

sudo tee /etc/nginx/conf.d/nodebb.conf > /dev/null << EOF
server {
    # Based on Mozilla intermediate configuration https://ssl-config.mozilla.org/
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name $FQDN;

    ssl_certificate $SSL_CERT_PATH;
    ssl_certificate_key $SSL_KEY_PATH;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/dhparam/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate $SSL_CA_CERT_PATH;

    # replace with the IP address of your resolver
    resolver 1.1.1.1;

    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567;  # no trailing slash
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

Restart Nginx

sudo systemctl restart nginx

Show the setup.info file with the Database passwords.

• You will need to know the DB info, as it will be used in the setup wizard during the next step.

cat setup.info

Change to the directory that NodeBB was installed to and run the NodeBB setup wizard

• Build fails if you try to execute from your home directory with the full path

cd $APP_PATH
sudo -u nodebb ./nodebb setup